Verifying Captured Objects Before Presentation

ABSTRACT

Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

PRIORITY AND RELATED APPLICATIONS

This patent application is related to, incorporates by reference, andclaims the priority benefit of U.S. Provisional Application 60/528,644,entitled “VERIFYING CAPTURED OBJECTS BEFORE PRESENTATION”, filed Dec.10, 2003.

FIELD OF THE INVENTION

The present invention relates to computer networks, and in particular,to secure storing of captured objects.

BACKGROUND

Computer networks and systems have become indispensable tools for modernbusiness. Modern enterprises use such networks for communications andfor storage. The information and data stored on the network of abusiness enterprise is often a highly valuable asset. Modern enterprisesuse numerous tools to keep outsiders, intruders, and unauthorizedpersonnel from accessing valuable information stored on the network.These tools include firewalls, intrusion detection systems, and packetsniffer devices. However, once an intruder has gained access tosensitive content, there is no network device that can prevent theelectronic transmission of the content from the network to outside thenetwork. Similarly, there is no network device that can analyse the dataleaving the network to monitor for policy violations, and make itpossible to track down information leeks. What is needed is acomprehensive system to capture, store, and analyse all datacommunicated using the enterprises network.

SUMMARY OF THE INVENTION

Objects can be extracted from data flows captured by a capture device.Each captured object can then be classified according to content.Meta-data about captured objects can be stored in a tag. In oneembodiment, the present invention includes receiving a request topresent a previously captured object to a user, accessing a tagassociated with the requested object, the tag containing metadatarelated to the object, the metadata including an object signature, andverifying that the object has not been altered since capture using theobject signature before presenting the object to the user.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings in which likereference numerals refer to similar elements and in which:

FIG. 1 is a block diagram illustrating a computer network connected tothe Internet;

FIG. 2 is a block diagram illustrating one configuration of a capturesystem according to one embodiment of the present invention;

FIG. 3 is a block diagram illustrating the capture system according toone embodiment of the present invention;

FIG. 4 is a block diagram illustrating an object assembly moduleaccording to one embodiment of the present invention;

FIG. 5 is a block diagram illustrating an object store module accordingto one embodiment of the present invention;

FIG. 6 is a block diagram illustrating an example hardware architecturefor a capture system according to one embodiment of the presentinvention; and

FIG. 7 is a flow diagram illustrating object presentation according toone embodiment of the present invention.

DETAILED DESCRIPTION

Although the present system will be discussed with reference to variousillustrated examples, these examples should not be read to limit thebroader spirit and scope of the present invention. Some portions of thedetailed description that follows are presented in terms of algorithmsand symbolic representations of operations on data within a computermemory. These algorithmic descriptions and representations are the meansused by those skilled in the computer science arts to most effectivelyconvey the substance of their work to others skilled in the art. Analgorithm is here, and generally, conceived to be a self-consistentsequence of steps leading to a desired result. The steps are thoserequiring physical manipulations of physical quantities. Usually, thoughnot necessarily, these quantities take the form of electrical ormagnetic signals capable of being stored, transferred, combined,compared and otherwise manipulated.

It has proven convenient at times, principally for reasons of commonusage, to refer to these signals as bits, values, elements, symbols,characters, terms, numbers or the like. It should be borne in mind,however, that all of these and similar terms are to be associated withthe appropriate physical quantities and are merely convenient labelsapplied to these quantities. Unless specifically stated otherwise, itwill be appreciated that throughout the description of the presentinvention, use of terms such as “processing”, “computing”,“calculating”, “determining”, “displaying” or the like, refer to theaction and processes of a computer system, or similar electroniccomputing device, that manipulates and transforms data represented asphysical (electronic) quantities within the computer system's registersand memories into other data similarly represented as physicalquantities within the computer system memories or registers or othersuch information storage, transmission or display devices.

As indicated above, one embodiment of the present invention isinstantiated in computer software, that is, computer readableinstructions, which, when executed by one or more computerprocessors/systems, instruct the processors/systems to perform thedesignated actions. Such computer software may be resident in one ormore computer readable media, such as hard drives, CD-ROMs, DVD-ROMs,read-only memory, read-write memory and so on. Such software may bedistributed on one or more of these media, or may be made available fordownload across one or more computer networks (e.g., the Internet).Regardless of the format, the computer programming, rendering andprocessing techniques discussed herein are simply examples of the typesof programming, rendering and processing techniques that may be used toimplement aspects of the present invention. These examples should in noway limit the present invention, which is best understood with referenceto the claims that follow this description.

Networks

FIG. 1 illustrates a simple prior art configuration of a local areanetwork (LAN) 10 connected to the Internet 12. Connected to the LAN 102are various components, such as servers 14, clients 16, and switch 18.There are numerous other known networking components and computingdevices that can be connected to the LAN 10. The LAN 10 can beimplemented using various wireline or wireless technologies, such asEthernet and 802.11b. The LAN 10 may be much more complex than thesimplified diagram in FIG. 1, and may be connected to other LANs aswell.

In FIG. 1, the LAN 10 is connected to the Internet 12 via a router 20.This router 20 can be used to implement a firewall, which are widelyused to give users of the LAN 10 secure access to the Internet 12 aswell as to separate a company's public Web server (can be one of theservers 14) from its internal network, i.e., LAN 10. In one embodiment,any data leaving the LAN 10 towards the Internet 12 must pass throughthe router 12. However, there the router 20 merely forwards packets tothe Internet 12. The router 20 cannot capture, analyze, and searchablystore the content contained in the forwarded packets.

One embodiment of the present invention is now illustrated withreference to FIG. 2. FIG. 2 shows the same simplified configuration ofconnecting the LAN 10 to the Internet 12 via the router 20. However, inFIG. 2, the router 20 is also connected to a capture system 22. In oneembodiment, the router 12 splits the outgoing data stream, and forwardsone copy to the Internet 12 and the other copy to the capture system 22.

There are various other possible configurations. For example, the router12 can also forward a copy of all incoming data to the capture system 22as well. Furthermore, the capture system 22 can be configuredsequentially in front of, or behind the router 20, however this makesthe capture system 22 a critical component in connecting to the Internet12. In systems where a router 12 is not used at all, the capture systemcan be interposed directly between the LAN 10 and the Internet 12. Inone embodiment, the capture system 22 has a user interface accessiblefrom a LAN-attached device, such as a client 16.

In one embodiment, the capture system 22 intercepts all data leaving thenetwork. In other embodiments, the capture system can also intercept alldata being communicated inside the network 10. In one embodiment, thecapture system 22 reconstructs the documents leaving the network 10, andstores them in a searchable fashion. The capture system 22 can then beused to search and sort through all documents that have left the network10. There are many reasons such documents may be of interest, includingnetwork security reasons, intellectual property concerns, corporategovernance regulations, and other corporate policy concerns.

Capture System

One embodiment of the present invention is now described with referenceto FIG. 3. FIG. 3 shows one embodiment of the capture system 22 in moredetail. The capture system 22 includes a network interface module 24 toreceive the data from the network 10 or the router 20. In oneembodiment, the network interface module 24 is implemented using one ormore network interface cards (NIC), e.g., Ethernet cards. In oneembodiment, the router 20 delivers all data leaving the network to thenetwork interface module 24.

The captured raw data is then passed to a packet capture module 26. Inone embodiment, the packet capture module 26 extracts data packets fromthe data stream received from the network interface module 24. In oneembodiment, the packet capture module 26 reconstructs Ethernet packetsfrom multiple sources to multiple destinations for the raw data stream.

In one embodiment, the packets are then provided the object assemblymodule 28. The object assembly module 28 reconstructs the objects beingtransmitted by the packets. For example, when a document is transmitted,e.g. as an email attachment, it is broken down into packets according tovarious data transfer protocols such as Transmission ControlProtocol/Internet Protocol (TCP/IP) and Ethernet. The object assemblymodule 28 can reconstruct the document from the captured packets.

One embodiment of the object assembly module 28 is now described in moredetail with reference to FIG. 4. When packets first enter the objectassembly module, they are first provided to a reassembler 36. In oneembodiment, the reassembler 36 groups—assembles—the packets into uniqueflows. For example, a flow can be defined as packets with identicalSource IP and Destination IP addresses as well as identical TCP Sourceand Destination Ports. That is, the reassembler 36 can organize a packetstream by sender and recipient.

In one embodiment, the reassembler 36 begins a new flow upon theobservation of a starting packet defined by the data transfer protocol.For a TCP/IP embodiment, the starting packet is generally referred to asthe “SYN” packet. The flow can terminate upon observation of a finishingpacket, e.g., a “Reset” or “FIN” packet in TCP/IP. If now finishingpacket is observed by the reassembler 36 within some time constraint, itcan terminate the flow via a timeout mechanism. In an embodiment usingthe TPC protocol, a TCP flow contains an ordered sequence of packetsthat can be assembled into a contiguous data stream by the reassembler36. Thus, in one embodiment, a flow is an ordered data stream of asingle communication between a source and a destination.

The flown assembled by the reassembler 36 can then be provided to aprotocol demultiplexer (demux) 38. In one embodiment, the protocol demux38 sorts assembled flows using the TCP Ports. This can includeperforming a speculative classification of the flow contents based onthe association of well-known port numbers with specified protocols. Forexample, Web Hyper Text Transfer Protocol (HTTP) packets—i.e., Webtraffic—are typically associated with port 80, File Transfer Protocol(FTP) packets with port 20, Kerberos authentication packets with port88, and so on. Thus in one embodiment, the protocol demux 38 separatesall the different protocols in one flow.

In one embodiment, a protocol classifier 40 also sorts the flows inaddition to the protocol demux 38. In one embodiment, the protocolclassifier 40—operating either in parallel or in sequence with theprotocol demux 38—applies signature filters to the flows to attempt toidentify the protocol based solely on the transported data. Furthermore,the protocol demux 38 can make a classification decision based on portnumber which is subsequently overridden by protocol classifier 40. Forexample, if an individual or program attempted to masquerade an illicitcommunication (such as file sharing) using an apparently benign portsuch as port 80 (commonly used for HTTP Web browsing), the protocolclassifier 40 would use protocol signatures, i.e., the characteristicdata sequences of defined protocols, to verify the speculativeclassification performed by protocol demux 38.

In one embodiment, the object assembly module 28 outputs each floworganized by protocol, which represent the underlying objects. Referringagain to FIG. 3, these objects can then be handed over to the objectclassification module 30 (sometimes also referred to as the “contentclassifier”) for classification based on content. A classified flow maystill contain multiple content objects depending on the protocol used.For example, protocols such as HTTP (Internet Web Surfing) may containover 100 objects of any number of content types in a single flow. Todeconstruct the flow, each object contained in the flow is individuallyextracted, and decoded, if necessary, by the object classificationmodule 30.

The object classification module 30 uses the inherent properties andsignatures of various documents to determine the content type of eachobject. For example, a Word document has a signature that is distinctfrom a PowerPoint document, or an Email document. The objectclassification module 30 can extract out each individual object and sortthem out by such content types. Such classification renders the presentinvention immune from cases where a malicious user has altered a fileextension or other property in an attempt to avoid detection of illicitactivity.

In one embodiment, the object classification module 30 determineswhether each object should be stored or discarded. In one embodiment,this determination is based on a various capture rules. For example, acapture rule can indicate that Web Traffic should be discarded. Anothercapture rule can indicate that all PowerPoint documents should bestored, except for ones originating from the CEO's IP address. Suchcapture rules can be implemented as regular expressions, or by othersimilar means. Several embodiments of the object classification module30 are described in more detail further below.

In one embodiment, the capture rules are authored by users of thecapture system 22. The capture system 22 is made accessible to anynetwork-connected machine through the network interface module 24 anduser interface 34. In one embodiment, the user interface 34 is agraphical user interface providing the user with friendly access to thevarious features of the capture system 22. For example, the userinterface 34 can provide a capture rule authoring tool that allows usersto write and implement any capture rule desired, which are then appliedby the object classification module 30 when determining whether eachobject should be stored. The user interface 34 can also providepre-configured capture rules that the user can select from along with anexplanation of the operation of such standard included capture rules. Inone embodiment, the default capture rule implemented by the objectclassification module 30 captures all objects leaving the network 10.

If the capture of an object is mandated by the capture rules, the objectclassification module 30 can also determine where in the object storemodule 32 the captured object should be stored. With reference to FIG.5, in one embodiment, the objects are stored in a content store 44memory block. Within the content store 44 are files 46 divided up bycontent type. Thus, for example, if the object classification moduledetermines that an object is a Word document that should be stored, itcan store it in the file 46 reserved for Word documents. In oneembodiment, the object store module 32 is integrally included in thecapture system 22. In other embodiments, the object store module can beexternal—entirely or in part—using, for example, some network storagetechnique such as network attached storage (NAS) and storage areanetwork (SAN).

Tag Data Structure

In one embodiment, the content store is a canonical storage location,simply a place to deposit the captured objects. The indexing of theobjects stored in the content store 44 is accomplished using a tagdatabase 42. In one embodiment, the tag database 42 is a database datastructure in which each record is a “tag” that indexes an object in thecontent store 44 and contains relevant information about the storedobject. An example of a tag record in the tag database 42 that indexesan object stored in the content store 44 is set forth in Table 1:

TABLE 1 Field Name Definition MAC Address Ethernet controller MACaddress unique to each capture system Source IP Source Ethernet IPAddress of object Destination IP Destination Ethernet IP Address ofobject Source Port Source TCP/IP Port number of object Destination PortDestination TCP/IP Port number of the object Protocol IP Protocol thatcarried the object Instance Canonical count identifying object within aprotocol capable of carrying multiple data within a single TCP/IPconnection Content Content type of the object Encoding Encoding used bythe protocol carrying object Size Size of object Timestamp Time that theobject was captured Owner User requesting the capture of object (ruleauthor) Configuration Capture rule directing the capture of objectSignature Hash signature of object Tag Signature Hash signature of allpreceding tag fields

There are various other possible tag fields, and some embodiments canomit numerous tag fields listed in Table 1. In other embodiments, thetag database 42 need not be implemented as a database, and a tag neednot be a record. Any data structure capable of indexing an object bystoring relational data over the object can be used as a tag datastructure. Furthermore, the word “tag” is merely descriptive, othernames such as “index” or “relational data store,” would be equallydescriptive, as would any other designation performing similarfunctionality.

The mapping of tags to objects can, in one embodiment, be obtained byusing unique combinations of tag fields to construct an object's name.For example, one such possible combination is an ordered list of theSource IP, Destination IP, Source Port, Destination Port, Instance andTimestamp. Many other such combinations including both shorter andlonger names are possible. In another embodiment, the tag can contain apointer to the storage location where the indexed object is stored.

The tag fields shown in Table 1 can be expressed more generally, toemphasize the underlying information indicated by the tag fields invarious embodiments. Some of these possible generic tag fields are setforth in Table 2:

TABLE 2 Field Name Definition Device Identity Identifier of capturedevice Source Address Origination Address of object Destination AddressDestination Address of object Source Port Origination Port of objectDestination Port Destination Port of the object Protocol Protocol thatcarried the object Instance Canonical count identifying object within aprotocol capable of carrying multiple data within a single connectionContent Content type of the object Encoding Encoding used by theprotocol carrying object Size Size of object Timestamp Time that theobject was captured Owner User requesting the capture of object (ruleauthor) Configuration Capture rule directing the capture of objectSignature Signature of object Tag Signature Signature of all precedingtag fields

For many of the above tag fields in Tables 1 and 2, the definitionadequately describes the relational data contained by each field. Forthe content field, the types of content that the object can be labeledas are numerous. Some example choices for content types (as determined,in one embodiment, by the object classification module 30) are JPEG,GIF, BMP, TIFF, PNG (for objects containing images in these variousformats); Skintone (for objects containing images exposing human skin);PDF, MSWord, Excel, PowerPoint, MSOffice (for objects in these popularapplication formats); HTML, WebMail, SMTP, FTP (for objects captured inthese transmission formats); Telnet, Rlogin, Chat (for communicationconducted using these methods); GZIP, ZIP, TAR (for archives orcollections of other objects); Basic_Source, C++_Source, C_Source,Java_Source, FORTRAN_Source, Verilog_Source, VHDL_Source,Assembly_Source, Pascal_Source, Cobol_Source, Ada_Source, Lisp_Source,Perl_Source, XQuery_Source, Hypertext Markup Language, Cascaded StyleSheets, JavaScript, DXF, Spice, Gerber, Mathematica, Matlab, AllegroPCB,ViewLogic, TangoPCAD, BSDL, C_Shell, K_Shell, Bash_Shell, Bourne_Shell,FTP, Telnet, MSExchange, POP3, RFC822, CVS, CMS, SQL, RTSP, MIME, PDF,PS (for source, markup, query, descriptive, and design code authored inthese high-level programming languages); C Shell, K Shell, Bash Shell(for shell program scripts); Plaintext (for otherwise unclassifiedtextual objects); Crypto (for objects that have been encrypted or thatcontain cryptographic elements); Englishtext, Frenchtext, Germantext,Spanishtext, Japanesetext, Chinesetext, Koreantext, Russiantext (anyhuman language text); Binary Unknown, ASCII Unknown, and Unknown (ascatchall categories).

The signature contained in the Signature and field can be any digest orhash over the object, or some portion thereof, and the Tag Signature cansimilarly be any such digest or hash over the other tag fields or aportion thereof. In one embodiment, a well-known hash, such as MD5 orSHA1 can be used. In one embodiment, the Signature is a digitalcryptographic signature. In one embodiment, a digital cryptographicsignature is a hash signature that is signed with the private key of thecapture system 22. Only the capture system 22 knows its own private key,thus, the integrity of the stored object can be verified by comparing ahash of the stored object to the signature decrypted with the public keyof the capture system 22, the private and public keys being a public keycryptosystem key pair. Thus, if a stored object is modified from when itwas originally captured, the modification will cause the comparison tofail.

Similarly, the signature over the tag stored in the Tag Signature fieldcan also be a digital cryptographic signature. In such an embodiment,the integrity of the tag can also be verified. In one embodiment,verification of the object using the signature, and the tag using thetag signature is performed whenever an object is presented, e.g.,displayed to a user. In one embodiment, if the object or the tag isfound to have been compromised, an alarm is generated to alert the userthat the object displayed may not be identical to the object originallycaptured.

Object Presentation

Data corruption can occur for various reasons in a capture system likethe one described above. For example, objects stored in the contentstore 44 or tags stored in the tag database 42 can experienceinadvertent changes due to electric or mechanic failures of the storagesystem, such as bit-flip errors. Also, an attacker may maliciously alteran object or a tag for inappropriate purposes. Thus, in one embodiment,when a captured and stored object is presented to users, it is firstverified for authenticity.

Presentation of an object may include the displaying, downloading,transferring, returning as a query result, or otherwise accessing of theobject. Verifying the authenticity of an object, in one embodiment,means that the object presented is guaranteed to be identical to theobject when captured. One embodiment, of object verification is nowdescribed with reference to FIG. 7.

In block 102, an object is captured by the capture system 22 asdescribed above with reference to FIG. 3. In block 104, a tag—such asthose of Tables 1 and 2 above—is generated for the object, and the tagfields are populated with the available meta-data about the capturedobjects as determined by the various modules described with reference toFIG. 3.

In block 106, the object signature is generated, such as the Signaturefield described with reference to Table 2 above. In one embodiment, theobject signature is a hash over the object. In one embodiment, theobject signature is not cryptographically signed. In block 108, the tagsignature is generated, such as the Tag Signature field described withreference to Table 2 above. In one embodiment, the tag signatureencompasses all other tag fields, including the object signature.

In block 110, the tag signature is cryptographically signed. In oneembodiment, this is done by signing, i.e., encrypting, the tag signaturewith the private key of the capture device 22. The private key belongsto a public key cryptosystem, thus making it possible to check whetherthe tag signature was indeed produces by the capture device 22 inpossession of the private key. The signed tag signature becomes,therefore, a digital certificate able to verify the authenticity of thetag and the meta-data, including the object signature, containedtherein. In other embodiments, other cryptosystems can be used toencrypt the tag signature in a secure manner.

In block 112, the object and tag signatures are inserted into the tag inthe appropriate fields, and the tag and the object are stored. Betweenblock 112 and 114 some time may elapse. During this time an attacker oran error may compromise the object, the tag, or both. The tag and theobject may be transferred to a storage outside of the capture device,e.g., the content store and tag database may be downloaded to a backupfacility or a file server network. Thus, the entity performing blocks114 to 122 may or may not be the capture system 22 that originallycaptured the object in block 102.

In block 114 a query for the captured object is received. This couldmean that a user requests to download or display the object, that theobject is being provided as part of a larger search, that the object isabout to be displayed or transferred, or any other request for thepresentation of the captured object. In block 116 the tag associatedwith the object is retrieved.

In block 118, the tag is verified using the tag signature generated inblock 108 and stored in the tag. In one embodiment, verifying the tagincludes re-calculating the hash and decrypting the hash of the tag withthe public key of the capture device that captured the object. If thenewly calculated signature matches the tag signature included in thetag, then the tag has not been altered since original storage in block112.

In block 120, the object is verified using the object signaturegenerated in block 106 and stored in the tag. In one embodiment,verifying the object also including re-calculating the hash over theretrieved object and comparing the result with the stored objectsignature generated in block 106. In one embodiment, the objectsignature is not cryptographically signed. Such precaution may beunnecessary, since the object signature is incorporated into the tagsignature (which is a hash over all other tag fields including theobject signature), thus encrypting the object signature by proxy. Inanother embodiment, the object signature is also cryptographicallysigned, and is decrypted using the public key of the capture system 22.In yet another embodiment, neither the tag nor the object signatures aresigned cryptographically.

In one embodiment, if both the tag and object verification issuccessful, then, in block 122, the object is presented in the mannerrequired by the request in block 114. For example, if a user wishes toaccess an object via the user interface 34 of the capture device 22 orsome other device having access to the captured object, then, in block122, the object is displayed to the user. Since the object was verified,it is guaranteed to be in the same condition as it was when captured inblock 102, within the security limits provided by the hash andsignature. Similarly, the meta-data in the tag is also guaranteed to beas originally observed by the capture system 22.

In one embodiment, if either the tag verification in block 118 or theobject verification in block 120 fails, an alert is generated (e.g., amessage) for the user, to alert the user that the object and/or themeta-data related thereto have in some way been altered. The object canstill be presented to the user, however, its authenticity will be put inquestion by the alert. In addition to the alert, in one embodiment, thesystem also determines whether the cause of the verification failure islikely inadvertent error, or malicious manipulation.

General Matters

In several embodiments, the capture system 22 has been described aboveas a stand-alone device. However, the capture system of the presentinvention can be implemented on any appliance capable of capturing andanalyzing data from a network. For example, the capture system 22described above could be implemented on one or more of the servers 14 orclients 16 shown in FIG. 1. The capture system 22 can interface with thenetwork 10 in any number of ways, including wirelessly.

In one embodiment, the capture system 22 is an appliance constructedusing commonly available computing equipment and storage systems capableof supporting the software requirements. In one embodiment, illustratedby FIG. 6, the hardware consists of a capture entity 46, a processingcomplex 48 made up of one or more processors, a memory complex 50 madeup of one or more memory elements such as RAM and ROM, and storagecomplex 52, such as a set of one or more hard drives or other digital oranalog storage means. In another embodiment, the storage complex 52 isexternal to the capture system 22, as explained above. In oneembodiment, the memory complex stored software consisting of anoperating system for the capture system device 22, a capture program,and classification program, a database, a filestore, an analysis engineand a graphical user interface.

Thus, a capture system and an object presentation procedure have beendescribed. In the forgoing description, various specific values weregiven names, such as “objects” and “tags,” and various specific modules,such as the “object store module” and “tag database” have beendescribed. However, these names are merely to describe and illustratevarious aspects of the present invention, and in no way limit the scopeof the present invention. Furthermore, various modules can beimplemented as software or hardware modules, or without dividing theirfunctionalities into modules at all. The present invention is notlimited to any modular architecture either in software or in hardware,whether described above or not.

1.-26. (canceled)
 27. A method, comprising: receiving a request topresent a previously captured object to a user, wherein the capturedobject was intercepted by a capture system configured to interceptpackets from data streams, and store network transmitted objects fromthe data streams according to a capture rule that defines which objectsare to be captured by the capture system; accessing a tag associatedwith the object being requested, the tag containing metadata related tothe object; verifying that the object has not been altered since captureusing an object signature in the tag associated with the object; andpresenting the object if the object and the tag are verified, andwherein if the object is not verified, then an alert is generated toindicate whether the object or the tag has been compromised.
 28. Themethod of claim 27, wherein the tag includes a tag signature, andwherein the tag is verified using a hash, which is decrypted with apublic key of the capture system.
 29. The method of claim 28, whereinthe tag signature comprises a cryptographically secure signature. 30.The method of claim 29, wherein the tag signature is signed using aprivate key of the capture system, the private key being part of apublic key cryptosystem.
 31. The method of claim 27, wherein presentingthe object to the user includes an option for the user to download theobject.
 32. The method of claim 27, wherein the object is stillpresented to the user if the verification fails.
 33. The method of claim27, wherein the capture system is configured to store a documentcaptured by the capture system according to the capture rule, whichidentifies a particular internet protocol (IP) address from which thedocument was sent,
 34. The method of claim 27, wherein verifying thatthe object has not been altered since capture comprises calculating anew object signature for the object, and comparing the new objectsignature with the object signature in the tag associated with theobject.
 35. A capture system, comprising: a memory element and aprocessor, the capture system being configured for: receiving a requestto present a previously captured object to a user, wherein the capturedobject was intercepted by the capture system configured to interceptpackets from data streams, and store network transmitted objects fromthe data streams according to a capture rule that defines which objectsare to be captured by the capture system; accessing a tag associatedwith the object being requested, the tag containing metadata related tothe object; verifying that the object has not been altered since captureusing an object signature in the tag associated with the object; andpresenting the object if the object and the tag are verified, andwherein if the object is not verified, then an alert is generated toindicate whether the object or the tag has been compromised.
 36. Thelogic of claim 35, wherein the tag includes a tag signature, and whereinthe tag is verified using a hash, which is decrypted with a public keyof the capture system.
 37. The logic of claim 36, wherein the tagsignature comprises a cryptographically secure signature.
 38. The logicof claim 37, wherein the tag signature is signed using a private key ofthe capture system, the private key being part of a public keycryptosystem.
 39. The logic of claim 35, wherein presenting the objectto the user includes an option for the user to download the object. 40.The logic of claim 35, wherein the object is still presented to the userif the verification fails.
 41. The logic of claim 35, wherein verifyingthat the object has not been altered since capture comprises calculatinga new object signature for the object, and comparing the new objectsignature with the object signature in the tag associated with theobject.
 42. Logic encoded in one or more tangible media that includescode for execution and when executed by a processor operable to performoperations comprising: receiving a request to present a previouslycaptured object to a user, wherein the captured object was interceptedby a capture system configured to intercept packets from data streams,and store network transmitted objects from the data streams according toa capture rule that defines which objects are to be captured by thecapture system; accessing a tag associated with the object beingrequested, the tag containing metadata related to the object; verifyingthat the object has not been altered since capture using an objectsignature in the tag associated with the object; and presenting theobject if the object and the tag are verified, and wherein if the objectis not verified, then an alert is generated to indicate whether theobject or the tag has been compromised.
 43. The logic of claim 42,wherein the tag includes a tag signature, and wherein the tag isverified using a hash, which is decrypted with a public key of thecapture system.
 44. The logic of claim 43, wherein the tag signaturecomprises a cryptographically secure signature, and wherein the tagsignature is signed using a private key of the capture system, theprivate key being part of a public key cryptosystem.
 45. The logic ofclaim 42, wherein the object is still presented to the user if theverification fails.
 46. The logic of claim 42, wherein presenting theobject to the user includes an option for the user to download theobject.